
productsign help

Hello all!


I am having difficulty understanding the signing of packages, which I use for distribution outside of the App Store. I have a valid Apple Developer Installer certificate I use with the `productsign --sign` command, which I will demonstrate below. All machines involved were running OS X 10.10.2. The package in question is a ~500 MB flat package generated using PackageMaker.app, available via Xcode Tools. The pkg itself was generated via the following command (posting this just in case that matters):

[/tmp]> /Applications/PackageMaker.app/Contents/MacOS/PackageMaker --doc /tmp/UNSIGNED.pmdoc
[/tmp]> file unsigned.pkg
unsigned.pkg: xar archive - version 1

First, some verification steps:


[/tmp]> pkgutil --check-signature unsigned.pkg
Package "unsigned.pkg":
Status: no signature


I now sign the package:


[/tmp]> productsign --sign "3rd Party Mac Developer Installer: some company (ABC123)" unsigned.pkg signed.pkg
productsign: signing product with identity "3rd Party Mac Developer Installer: some company (ABC123)" from keychain /Users/needshelp/Library/Keychains/login.keychain
productsign: adding certificate "Apple Worldwide Developer Relations Certification Authority"
productsign: adding certificate "Apple Root CA"
productsign: Wrote signed product archive to signed.pkg

And, some verification for good measure:


[/tmp]> pkgutil --check-signature signed.pkg
Package "signed.pkg":
Status: signed by a developer certificate issued by Apple
Certificate Chain:
1. 3rd Party Mac Developer Installer: some company (ABC123)
SHA1 fingerprint: A0 2B 94 FD 70 8A D4 A8 4F A7 CE 13 DB E3 A2 13 D1 CC 92 09
-----------------------------------------------------------------------------
2. Apple Worldwide Developer Relations Certification Authority
SHA1 fingerprint: 09 50 B6 CD 3D 2F 37 EA 24 6A 1A AA 20 DF AA DB D6 FE 1F 75
-----------------------------------------------------------------------------
3. Apple Root CA
SHA1 fingerprint: 61 1E 5B 66 2C 59 3A 08 FF 58 D1 4A E2 24 52 D1 98 DF 6C


Looks good, how about the GateKeeper test:


[/tmp]> spctl -a -vvv --type install signed.pkg
signed.pkg: rejected
origin=3rd Party Mac Developer Installer: some company (ABC123)


Failed...? Let's try to use it anyway. `scp signed.pkg someuser@someothermachine:~/` and attempt to install the package while Gatekeeper is enabled on a newly imaged machine... Success. It shows a 'valid' certificate by clicking the little lock icon at the top right and everything. However... when a person uses Safari, Chrome or Firefox to download this package, it fails. Using `curl` works. Basically, the package _is_ signed. But for some reason, when you download this package, metadata is created, and that is somehow upsetting Gatekeeper. When you clear this metadata:


xattr -c signed.pkg
open signed.pkg


Gatekeeper is happy once again. I have tried downloading the package securely using a valid StartCom SSL certificate (HTTPS download), and in the clear (HTTP). It does not seem to matter.


Furthermore, and this is the part I really do not understand, I have found that I can scp or curl the unsigned.pkg to a newly imaged machine with Gatekeeper enabled, and that works as well. There is no lock at the top right, and we are allowed to install an unsigned, untrusted package. Does this mean a package is only checked for validity when downloaded from the internet using a popular web browser? Does Gatekeeper not care about signed applications, but only this 'metadata' stuff?


My hope is that I am missing something simple. But clearly, Gatekeeper is not doing what I thought it should be doing.


Thank you all for any help and/or thoughts you have on the matter!

Jason

Mac Pro, OS X Yosemite (10.10.2)

Posted on Feb 19, 2015 7:42 AM

3 replies
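The behaviour Jason describes (browser downloads are blocked, curl/scp copies of the very same .pkg are not, and `xattr -c` makes Gatekeeper happy) comes down to the com.apple.quarantine attribute: Gatekeeper assesses a file only when that attribute is present, and only quarantine-aware applications such as browsers and Mail set it. The script below is an added example written for this thread, not code from the original post or from Apple. It inspects the quarantine attribute on a file and reports which application applied it and when. The attribute value layout "flags;timestamp;agent;uuid" (hex flags, hex Unix time, downloading application, UUID) and the sample values are assumptions and constructed data, so the text-processing functions run on any POSIX shell; the `xattr` wrapper only does real work on a Mac.

```shell
#!/bin/sh
# Added example (not from the thread). Inspect the com.apple.quarantine
# attribute that browsers such as Safari set on downloads. Gatekeeper only
# assesses files carrying this attribute, which is why a curl/scp copy of the
# same .pkg installs without any check while the browser download is blocked.
#
# Assumed attribute layout (the constructed sample below follows it):
#   "<hex flags>;<hex unix time>;<downloading app>;<uuid>"

# Exit 0 if an `xattr <file>` listing (one attribute name per line) contains
# the quarantine attribute.
has_quarantine() {
    printf '%s\n' "$1" | grep -q '^com\.apple\.quarantine$'
}

# Print the application that applied the quarantine record (third field).
quarantine_agent() {
    printf '%s\n' "$1" | cut -d ';' -f 3
}

# Print the download time from the record as decimal seconds since the
# Unix epoch (second field, hexadecimal).
quarantine_time() {
    hex=$(printf '%s\n' "$1" | cut -d ';' -f 2)
    echo $((0x$hex))
}

# On a Mac, read the real attributes of a file and summarise them.
quarantine_report() {
    file=$1
    listing=$(xattr "$file") || return 2
    if has_quarantine "$listing"; then
        value=$(xattr -p com.apple.quarantine "$file")
        echo "$file: quarantined by $(quarantine_agent "$value")," \
             "downloaded at $(quarantine_time "$value") (epoch seconds);" \
             "Gatekeeper will assess it on open"
    else
        echo "$file: no quarantine attribute; Gatekeeper will not assess it"
    fi
}

# Constructed sample data, mirroring the listing shown later in this thread.
SAMPLE_XATTR_LIST='com.apple.metadata:kMDItemWhereFroms
com.apple.quarantine'
SAMPLE_QUARANTINE='0083;54e60a1c;Safari;A1B2C3D4-0000-4000-8000-000000000000'

if has_quarantine "$SAMPLE_XATTR_LIST"; then
    echo "sample: quarantined by $(quarantine_agent "$SAMPLE_QUARANTINE")" \
         "at $(quarantine_time "$SAMPLE_QUARANTINE")"
fi

# Usage on macOS: sh this_script.sh ~/Downloads/signed.pkg
if [ "$(uname)" = Darwin ] && [ -n "${1:-}" ]; then
    quarantine_report "$1"
fi
```

Removing the attribute, as the post does with `xattr -c` or `xattr -d com.apple.quarantine`, silences Gatekeeper for that file; the report above is useful precisely because it shows whether a package that "just installed" was ever assessed at all.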

Feb 19, 2015 9:05 AM in response to jmmathew

After re-reviewing the instructions for distributing applications outside of the App Store, it appears applications are only put in quarantine if downloaded by supported applications, like Safari, Chrome, Mail, etc. So having an untrusted package installed, even when Gatekeeper is enabled, is acceptable behavior when obtaining packages beyond the scope of Gatekeeper. Okay. I'll accept that 🙂


However, I am still not receiving the OK from the Gatekeeper user experience verification process, and I would like to know why. My packages are still being blocked. Screenshot attached.


[~/Downloads]> xattr signed.pkg
com.apple.metadata:kMDItemWhereFroms
com.apple.quarantine


The only way I can get any joy:


[~/Downloads]> xattr -d com.apple.quarantine signed.pkg
[~/Downloads]> open signed.pkg


As you can see, the package is signed. It's valid.

Feb 19, 2015 10:15 AM in response to jmmathew

I may have identified my issue. I think I was using the incorrect certificates. After mulling around the internets some more, I am finding quite a few others have experienced the same. Their fix, apparently, was using a certificate labeled as:


Developer ID Installer Distribution

I was using:

Mac Installer Distribution


In my defense 😟 try searching for Developer ID Installer Distribution anywhere on any Apple Distribution How To... It's as many others seem to be saying.... Apple, please delete those old documents and redirect to this one:


https://developer.apple.com/library/mac/documentation/IDEs/Conceptual/AppDistributionGuide/MaintainingCertificates/Maint…
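The resolution of the thread is that the identity name tells you which distribution channel a certificate is for: "3rd Party Mac Developer Installer" is the Mac App Store submission identity (which is exactly what the `spctl` output above reports as the origin of the rejected package), while "Developer ID Installer" is the one Gatekeeper accepts for packages downloaded outside the App Store. The script below is an added example written for this thread, not code from the poster or from Apple. It classifies the leaf identity from `pkgutil --check-signature` output so the wrong certificate type is caught before a package is published. The sample outputs are constructed in the shape shown earlier in the thread; the company name and team identifier in them are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread). Classify the leaf signing identity that
# `pkgutil --check-signature` reports, so a package signed with the App Store
# submission identity is caught before it ships.
#   "Developer ID Installer: ..."            -> distribution outside the App Store
#   "3rd Party Mac Developer Installer: ..." -> App Store submission only;
#                                               Gatekeeper rejects a direct download
# The prefixes follow Apple's certificate naming; the sample outputs below are
# constructed, with placeholder company names and team identifiers.

# Print the leaf identity (the "1. ..." line of the certificate chain).
leaf_identity() {
    printf '%s\n' "$1" | sed -n 's/^ *1\. //p' | head -n 1
}

# Print a classification word; the exit status encodes it as well:
#   developer-id (0), app-store (1), unsigned (2), unknown (3)
classify_signature() {
    if printf '%s\n' "$1" | grep -q '^ *Status: *no signature'; then
        echo unsigned; return 2
    fi
    case "$(leaf_identity "$1")" in
        "Developer ID Installer:"*)            echo developer-id; return 0 ;;
        "3rd Party Mac Developer Installer:"*) echo app-store;    return 1 ;;
        *)                                     echo unknown;      return 3 ;;
    esac
}

# On a Mac, run the real check on a .pkg and explain the verdict.
check_pkg() {
    out=$(pkgutil --check-signature "$1") || true
    kind=$(classify_signature "$out") || true
    case $kind in
        developer-id) echo "$1: Developer ID signed; suitable for download outside the App Store" ;;
        app-store)    echo "$1: signed with the App Store installer identity; Gatekeeper will reject it" ;;
        unsigned)     echo "$1: not signed" ;;
        *)            echo "$1: unrecognised identity: $(leaf_identity "$out")" ;;
    esac
}

# Constructed sample outputs (shape of pkgutil --check-signature).
SAMPLE_APPSTORE='Package "signed.pkg":
   Status: signed by a developer certificate issued by Apple
   Certificate Chain:
    1. 3rd Party Mac Developer Installer: some company (ABC123)
    2. Apple Worldwide Developer Relations Certification Authority
    3. Apple Root CA'
SAMPLE_DEVID='Package "signed.pkg":
   Status: signed by a developer certificate issued by Apple for distribution
   Certificate Chain:
    1. Developer ID Installer: Example Co (ABC123)
    2. Developer ID Certification Authority
    3. Apple Root CA'
SAMPLE_UNSIGNED='Package "unsigned.pkg":
   Status: no signature'

for s in "$SAMPLE_APPSTORE" "$SAMPLE_DEVID" "$SAMPLE_UNSIGNED"; do
    classify_signature "$s" || true
done

# Usage on macOS: sh this_script.sh /tmp/signed.pkg
if [ "$(uname)" = Darwin ] && [ -n "${1:-}" ]; then
    check_pkg "$1"
fi
```

A package that classifies as app-store will pass `pkgutil --check-signature` (the chain really is issued by Apple) yet still be rejected by `spctl -a --type install`, which is the combination the first post shows; running `spctl` as part of a release check, rather than relying on `pkgutil` alone, catches it.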
